Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
From exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

Tested on the PHP version: no effect.
Tested on the ASP/ASPX version: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp

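The following Python is an added illustration, not code from the post or from FCKeditor itself. It models why the quick patch anchors the allow-list with ^(...)$: an unanchored regex tested with a search-style match accepts any extension that merely contains an allowed one (so "asp" followed by a NUL and "txt" passes), while the anchored form does not. It also shows the defensive rule the advisory implies: reject control characters up front, and re-validate the name that is finally written to disk after duplicate renaming. The extension list, the regex-alternation form of the allow-list and the "(n)" duplicate suffix are constructed assumptions for the example.

```python
import os
import re
from typing import Optional, Set

# Constructed allow-list for the "File" resource type, in the two forms the
# post quotes from config.asp: unanchored original and anchored quick patch.
# Expressing the list as regex alternation is an assumption for this example,
# not FCKeditor's own configuration syntax.
UNANCHORED_PATTERN = r"txt|pdf|zip"
ANCHORED_PATTERN = r"^(txt|pdf|zip)$"


def extension_of(filename: str) -> str:
    """Everything after the last dot of the base name, lower-cased; '' if no dot."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def extension_allowed(filename: str, pattern: str) -> bool:
    """Model of a search-style regex test (no implicit anchors).

    With UNANCHORED_PATTERN the extension 'asp\\x00txt' is accepted because the
    pattern matches the trailing 'txt'; with ANCHORED_PATTERN it is rejected
    because the whole extension must equal one of the allowed values.
    """
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def validated_store_name(filename: str, existing: Set[str],
                         pattern: str = ANCHORED_PATTERN) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it.

    Checks, in order:
      1. reject NUL and other control characters outright, so the validator and
         the filesystem can never see two different names for one upload;
      2. keep only the base name, so path separators cannot leave the upload dir;
      3. validate the extension with the anchored allow-list;
      4. resolve duplicates with a constructed "(n)" suffix, then re-validate the
         extension of the final name, so renaming cannot yield an unapproved name.
    """
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return None
    if not extension_allowed(base, pattern):
        return None
    stem, _, ext = base.rpartition(".")
    candidate = base
    n = 1
    while candidate in existing:
        candidate = f"{stem}({n}).{ext}"
        n += 1
    if not extension_allowed(candidate, pattern):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names; the NUL one mirrors the asd.asp%00txt trick.
    for name in ("asd.txt", "asd.asp.txt", "asd.asp\x00txt", "shell.asp"):
        print(repr(name),
              "unanchored:", extension_allowed(name, UNANCHORED_PATTERN),
              "anchored:", extension_allowed(name, ANCHORED_PATTERN))
    print(validated_store_name("asd.txt", {"asd.txt"}))  # asd(1).txt
```

Note that "asd.asp.txt" still passes the anchored check, since its last extension is "txt"; whether a double extension is served as a script depends on the web server's handler mapping, which is why the final on-disk name, not the name the client supplied, is the one that must be validated.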